1. 首頁
  2. 問答
  3. 如果isset爲$ GET

如果isset爲$ GET

2011-05-07 69 views
0

以下是按預期工作的PHP代碼的摘錄。

但我想修改sql查詢。 除非設置了相應的第一,第二,第三個變量,否則內連接b,c,d,e不應該成爲查詢的一部分。

$word_first=$_GET["first"]; 
$word_second=$_GET["second"]; 
$word_third=$_GET["third"]; 
$word_forth=$_GET["forth"]; 
$word_fifth=$_GET["fifth"]; 
$word_sixth=$_GET["sixth"]; 
$word_seventh=$_GET["seventh"]; 
$word_eighth=$_GET["eighth"]; 


$query="select id, word from toprint as a 
inner join syl as b on b.word_id = a.id and b.char_id = '1' AND b.mychar LIKE '%".$word_first. "%' 
inner join syl as c on c.word_id = a.id and c.char_id = '2' AND c.mychar LIKE '%".$word_second. "%' 
inner join syl as d on d.word_id = a.id and d.char_id = '3' AND d.mychar LIKE '%".$word_third. "%' 
inner join syl as e on e.word_id = a.id and e.char_id = '4' AND e.mychar LIKE '%".$word_forth. "%' 
inner join syl as f on f.word_id = a.id and f.char_id = '5' AND f.mychar LIKE '%".$word_fifth. "%' 
inner join syl as g on g.word_id = a.id and g.char_id = '6' AND g.mychar LIKE '%".$word_sixth. "%' 
inner join syl as h on h.word_id = a.id and h.char_id = '7' AND h.mychar LIKE '%".$word_seventh. "%' 
inner join syl as i on i.word_id = a.id and i.char_id = '8' AND i.mychar LIKE '%".$word_eighth. "%' 
limit 2000";

來源

2011-05-07 shantanuo

+12

[SQL注入警報(http://en.wikipedia.org/wiki/SQL_injection) – 2011-05-07 17:46:11

+0

你可以寫一個有意義的和正確的標題? – markus 2011-05-07 17:56:23

回答

2 
<?php 

$word_fifth=mysql_real_escape_string($_GET["fifth"]); 
$word_sixth=mysql_real_escape_string($_GET["sixth"]); 
$word_seventh=mysql_real_escape_string($_GET["seventh"]); 
$word_eighth=mysql_real_escape_string($_GET["eighth"]); 


$query="select id, word from toprint as a"; 
if(isset($_GET["first"])) 
{ 
$query.="inner join syl as b on b.word_id = a.id and b.char_id = '1' AND b.mychar  LIKE '%".mysql_real_escape_string($_GET["first"]). "%' "; 
} 
if(isset($_GET["second"])) 
{ 
$query.="inner join syl as c on c.word_id = a.id and b.char_id = '1' AND c.mychar LIKE '%".mysql_real_escape_string($_GET["second"]). "%' "; 
} 
if(isset($_GET["third"])) 
{ 
$query.="inner join syl as d on b.word_id = a.id and d.char_id = '1' AND d.mychar LIKE '%".mysql_real_escape_string($_GET["third"]). "%' "; 
} 
if(isset($_GET["forth"])) 
{ 
$query.="inner join syl as e on e.word_id = a.id and d.char_id = '1' AND e.mychar LIKE '%".mysql_real_escape_string($_GET["forth"]). "%' "; 
} 



$query.="inner join syl as f on f.word_id = a.id and f.char_id = '5' AND f.mychar LIKE '%".$word_fifth. "%' 
inner join syl as g on g.word_id = a.id and g.char_id = '6' AND g.mychar LIKE '%".$word_sixth. "%' 
inner join syl as h on h.word_id = a.id and h.char_id = '7' AND h.mychar LIKE '%".$word_seventh. "%' 
inner join syl as i on i.word_id = a.id and i.char_id = '8' AND i.mychar LIKE '%".$word_eighth. "%' 
limit 2000";

?>

來源

2011-05-07 17:56:22

+0

我很抱歉,但是你是否錯過了一堆右括號? – Plummer 2013-11-05 05:46:33

1

如果你有超過表單控件,我建議改變字段的樣子:

<input type="..." name="word[2]" />

然後在你的PHP,你可以簡單地做:

foreach($_GET['word'] as $number => $value) { 
    $table = 'syl' . intval($number); 
    $query .= 'INNER JOIN syl AS ' . $table . ' ON a.id = ' . $table . '.id AND ' . $table . '.char_id = '. intval($number) . ' AND ' . $table . ".mychar LIKE '%" . mysql_real_escape_string($value) . "%'"; 
}

除了是無限可擴展,它也少了很多代碼。

無論你做什麼,不要忘記包括mysql_real_escape_string,因爲沒有它,你可以讓你的訪問者在你的查詢中注入任意他們想要的SQL。

來源

2011-05-07 17:52:37 VoteyDisciple

相關問題

 相關問題